Punk Ode: Hiding Shellcode in Plain Sight VeriSign Confidential and Proprietary Information Punk Ode...

Contains VeriSign Confidential and Proprietary Information

Punk OdeHiding Shellcode in Plain Sight

Greg MacManusResearcher of stuff, iDefense Labs

Michael SuttonDirector, iDefense Labs

2Contains VeriSign Confidential and Proprietary Information

Agenda

+ Background_ Shellcode history

+ What is Punk Ode?_ NOP sled generator++_ Shellcode steganography_ Image encoder with shellcode integrity checking

+ Embedding shellcode in image files_ PNG images_ JPEG images_ Other Miscellaneous details

+ Demo_ NOP-Palette_ The other tool

+ (Im)practical applications_ Efficient NOP sled generation_ Bypass active scripting requirement_ IDS evasion

+ Other file formats_ Sound files_ Video files_ Office documents_ Text files?


Shellcode History – Trivial Overflows

+ In the beginning there were trivial command line orenvironment variable overflows

+ The First Exploit Code (for a lot of people)_ Smashing the stack for fun and profit – Aleph1

– Find a command-line overflow in a setuid root program– Put a long string, the return address, a NOP sled and the shellcode

into an environment variable (EGG) and spawn a shell.– Run “./vulnerable-program $EGG”– Profit!

+ Even trivial exploits were not quite trivial_ As everyone knows from the Aleph1 paper, shellcode cannot

have null bytes because it would terminate the string.– So the shellcode has to be carefully written to avoid them.– Or you could just use Aleph1’s code. (Results 1-10 of about 11,800 for Aleph1 shellcode.)


Smashing the Stack – without removing null bytes

+ Lets look a little harder at those assumptions.– The shellcode is put in a string.

• A pointer to a null byte is a 0-length string.

– The string is stored in the environment - an array of strings• A sequence of char*, terminated by a null pointer.

– The whole environment is passed to the program• Not just the shellcode all strings in the environment.

– Can this ‘exit(1)’ shellcode be passed in the environment? C7C0 01000000: mov $0x1,%eax C7C3 01000000: mov $0x1,%ebx CD 80: int $0x80

Read the environ(5) manpage carefully: The variable environ points to an array of stringscalled the 'environment‘. … By convention these strings have the form 'name=value’.

• Convention means it’s just an agreement; nothing is forcing it tohave this form.

main(int argc,char *argv[]){ char *env[32]; int i=0; if(getenv("XXX"))abort(); env[i++]="XXX="; env[i++]="\xC7\xC0\x01"; env[i++]=""; env[i++]=""; env[i++]="\xC7\xC3\x01”; env[i++]=""; env[i++]="\xcd\x80"; env[i++]=0; execve(argv[0],argv,env);}(gdb) rStarting program: /tmp/xReading symbols from shared object read from target memory...done.Loaded system supplied DSO at 0xb7f76000

Program received signal SIGABRT, Aborted.0xb7f46402 in ?? ()(gdb) x/3i environ[1]0xbfa45fe6: mov $0x1,%eax0xbfa45fec: mov $0x1,%ebx0xbfa45ff2: int $0x80(gdb) # so it looks like you can store shellcode with nulls in the environment.


Shellcode History – cont’d

+ The previous trick is probably not all that useful now._ Non-executable stack and ASLR are becoming more common.

+ Some other limitations of using the environment or command line_ Remote vulnerabilities

– Difficult to get the remote server to start with $EGG in the environment• But there are CGI programs

– Limited buffer sizes• How small can you make your shellcode?

_ Not just null bytes to worry about.– More restricted characters as you look at more targets.– No newlines, no spaces, no tabs, no commas, no colons, no semi-colons,

no equals, no high bits, no control characters at all.• Write special shellcodes by hand for each special case!

– Hard work_ IDS evasion

– As more people learned about the techniques, people started wanting toknow how they were getting owned.


More Advanced Shellcode

+ Shellcode now is much more advanced than executing /bin/sh_ E.g. Metasploit 2.5 contains 25 different payloads and 9 encoders for

Win32, from simply executing a command to injecting a VNC server intoa remote process.– According to the schedule HD is actually talking in another room about the

latest version of Metasploit right now. And you are missing it.

+ Automatic shellcode generation._ Most use decoder stubs which extract and call the actual code

– XOR encoding– Alphanumeric shellcode– Unicode shellcode

_ NOP-sled generators– to avoid IDS NOP-detection.

• If you see 1000 0x90 characters in a row go to your server, it may bepart of an exploit.


What is Punk Ode?+ Punk Ode = Pun Code

_ pun (n)1. A play on words, sometimes on different senses of the same word and

sometimes on the similar sense or sound of different words._ Exploits the von Neumann architecture

– Data and code are indistinguishable to the computer– The meaning of a sequence of bytes is dependant on context

• If you throw them at the screen, they become pixels• If you make the computer jump into them, they become code

The hello-von-Neumann.exe binary embedded in an image.

$ cat hello-von-Neumann.c

#include <stdio.h>int main(int argc, char *argv[]){ printf("Hello, von Neumann architecture!\n");}$ cc –o hello-von-Neumann hello-von-Neumann.c

$


What is Punk Ode?

+ Pun code_ Punk Ode (n)

– A play on bytes.

_ It makes images which are visual puns• Entirely comprised of a NOP-sled and shellcode.• Load directly into your web browser

– PNG, GIF or JPEG format• They look pretty much like lormal pictures.

– Only slightly(*) more work than embedding theshellcode in a large image file to get it in memory

• Not just a theory.– Actual working exploits have been tested using this

method.


Proto-punk Ode – Way back in ‘02

+ First stage of research wasmany years ago_ Making huge, compressed

NOP-sleds.

+ Owning Netscape 6 for Funand Profit_ Netscape Bug Bounty

– $US1000 for codeexecution bugs.

– This motivated the initialresearch.

_ An early attempt– The colored stripes are

shellcode, other parts are“\xeb\x40” repeated.

– If you saw this you wouldknow ‘something is odd’.

A section of the NOP-sled/shellcode file from an exploit for the ‘jar’ bugreported here: http://bugzilla.mozilla.org/show_bug.cgi?id=157646


Proto-punk Ode – The original motivation

+ The main question the initial version was written to answer was:_ “How can I find my shellcode?”_ The internal state of a web browser could be pretty much anything at

the time the victim was exploited.– Multiple things going on

• Handling user input, Drawing the interface, Downloading images,webpages, Updating cache files, Executing JavaScript, helperapplications, Creating and destroying objects, Checking mail andnewsgroups.

– The heap was in an unknown state.• How long ago did they start the program? How many windows are

open?

_ If only there was a way to make the program allocate a huge amount ina fixed location…– malloc(size) used an mmap()ed chunk over certain size value.– for large enough values, it was almost always in a predictable range

_ The only thing left was working out how to put shellcode in that range.


Punk Ode - Psychophysics

_ Exploits the way people look at things– The eye is very forgiving of certain types of display errors.

• Relative brightness is more important than absolute.• Slight change in a color over space may be ok.• A little ‘noise’ may be ok.• Certain colors can be changed more than others.

– Brighter colors can have more variation from theoriginal values and still look ok.


How are images stored?

+ 2D image = 1D array of bytes

+ Color encoding_ Grayscale_ RGB_ CMYK_ YCrCb_ Indexed

+ Compression_ None – e.g. Raw BMP_ Lossless – e.g. PNG (zlib deflate compression, like gzip/pkzip)_ Lossy – e.g. JPEG (psychophysics using discreet cosine transfer)

+ File in memory_ Decompression results in 1D array in memory


Punk Ode – PNM+ PNM (Netpbm superformat )

_ PBM – Portable Bitmap– 1 bit per pixel

_ PGM – Portable Graymap– 8 bit per pixel (grayscale)

_ PPM – Portable Pix Map– 24 bit per pixel

+ Very simple image format

+ Easy to process and generate_ Used as intermediate format for Punk

Ode

+ Many open source utilities_ Netpbm () netpbm.sourceforge.net/

+ Punk Ode_ Makes extensive use of this format.

P63 2255!!~!~!~!!~~!~!~!~~

Contents of a PPM format image fileThe 4th line is the image data.

How the above PPM formatimage file displays (enlargedfrom 3 pixels by 2 pixels)


Punk Ode – PNG

_ A PNG contains at least– A PNG header– An image header,– A image array (compressed with the gzip ‘deflate’ method)

Each row has an extra byte which does stuff to make the image smaller.

– An image footer.– Every header (apart from the PNG header) has its CRC-32 stored next to it.

+ Additional relevant features supported by the specification andsome viewers._ Color correction mappings

– gAMA, cHRM, sRGB, iCCP

_ Transparency/Alpha– Some programs store 24 bit pixels padded to 32-bit per pixel.

• The extra byte is sometimes for the alpha value.• If not, you could try writing shellcode which has every 4th byte set to

the padding value.


Punk Ode – PNG

+ Example_ Original image - GIF

– 9KB

_ Converted to PNM, scaled up,– 115MB

_ Passed through NOP-Palette to add shellcode and converted to PNG– 1.2 MB


Punk Ode – JPEG

+ More complex_ JFIF – JPEG Format Image File_ Joint Photographic Experts Group (JPEG)

– Designed for photographs• Not appropriate for images with sharp lines and high contrast areas

_ Lossy– Psychophysics – Removes detail typically unnoticeable by human eye

• Adds complexity for Punk Ode – will mangle shellcode and NOPs– Changing a value in one location can impact adjacent locations

+ Punk Ode_ Restricted values used for NOP sled and shellcode_ ‘Lossy’ shellcode

– Maximize JPEG quality to limit loss– Shellcode with padding that can be removed without major impact– Carefully align shellcode– We have a decoder stub which is ‘JPEG safe’


Punk Ode – JPEG

+ Discrete Cosine Transfer (DCT)_ Breaks image into 8x8 pixel blocks_ Converts each block from spatial domain to frequency domain_ Discards those frequencies which don’t contribute ‘much’ to the overall

image_ Subject to rounding errors, therefore even maximum quality JPEG

images will experience loss


Punk Ode – Windows Byte Order

+ In memory, Microsoft often stores images in BGR (blue, green, red)byte order instead of RGB, which is utilized by most image formats

+ Punk Ode must account for this by flipping the red and bluecomponents of the shellcode and multi-byte NOPs

+ Internet Explorer handles images this way_ This adjustment is trivial for simple formats such as PNM and PNG_ This is a significant adjustment for complex formats such as JPEG

– Separate JPEG decoder stub created to handle this


Punk Ode – Color mapped Files

+ Indexed file format (e.g. GIF)_ Byte array stores pointers to a color map_ Limits the number of colors that are available

+ Punk Ode_ Limited color map also restricts values that can be used for shellcode

and NOPs_ By changing the order of the color map, you can change the contents of

the file when compressed without impacting the structure of the imagewhen uncompressed– This provides a trivial IDS evasion technique

• Similar to Metasploit’s WMF httpd using gzip transfer encoding.


What about vector based images?

+ Vector based image formats_ For example: SVG, WMF, CDR_ Based on lines, curves and filled areas instead of dots_ Almost everything described in this talk could work with vector graphics.

– Vector graphs aren’t as widely supported as raster images currently are.• MS06-001 – WMF AbortProc() exploitation used a helper application.

– Depending on the type of file and the viewing application, it may not even berendered to memory which is accessible• EMF and WMF for example do not appear to be rendered to a memory

buffer in the Windows Picture and Fax Viewer, but instead seem to onlyuse the GDI interface to handle display.

– Shellcode could still be put inside a file, crafted in such a way as to stillrender correctly.• could be put into an embedded image file within WMF file.


Punk Ode – How the tools relate to the process

+ Punk Ode is a collection of script, programs and methods_ Start with PNM base image

– This is what we want our shellcode to resemble

_ Convert to NOPs and add the shellcode– The tool NOP-Palette

• No promises, but better looking images at the cost of extra processingis the in development.

– The Other Tool• This is for JPEG tricks.

_ Convert to Final Image type– PNG

• Netpbm tool ‘pnmtopng’– If you’re good, we may integrate some other code to NOP-Palette

to do this.– JPEG

• libjpeg tool cjpeg with special command line options


Punk Ode – Tool Demo

+ NOP-Palette

+ The Other Tool


Punk Ode – Stages

1. Select original image

2. Rescale image+ Larger images take up more memory

3. Convert image to NOP sled+ Map each byte of the image to a valid op-codes (‘mostly’ NOPs)

4. Embed shellcode+ Preferably somewhere it is not obvious (e.g. border, noisy area, etc.)

5. Convert this file to the final format+ Lossy compression formats and other image traits may modify code

+ These modifications can often be accounted for


+ The purpose of the NOP-sled is to give the CPU something to dowhile it’s on its way to the shellcode.

+ Use safe instructions_ never changes important stuff.

– 0x90 - xchg EAX, EAX• More commonly known as ‘NOP’.

– 0x42 – inc EDX• So long as you don’t need the original value of EDX in the shellcode.

+ Unsafe instructions _ these will usually crash the sled.

– push, pop, call, ret• all require a usable stack

– Anything which dereferences a register– Privileged operations

Punk Ode – NOP Sled


Punk Ode – Byte Frequency Counts

+ The original image – I think he’s a hacker or something._ The byte counts show the relative amounts of each color component

(the Y-axis) by the intensity of that color component (the X-axis).

Original image Intensity histogram oforiginal image


Punk Ode – Spot the difference

+ Comparison of original and 8-bit indexed image_ Nothing extremely obvious has changed._ The histogram has spikes.

256 color optimal palette.

Intensity histogram of256 color image


Good enough to pass casual inspection?

+ Comparison of original and NOP encoded images_ His right arm looks like he’s been dumpster diving somewhere nasty.

– The original color values were in a range which contained lots of ‘unsafe’instructions, and the closest safe ones were chosen.

Whole image is a NOP-sled

Intensity histogram ofNOP-sled image

The nearly empty space in thecenter contains a large number

of ‘unsafe’ instructions.


Punk Ode – Shellcode

+ The previous image was just a NOP-sled_ We pretty much just changed the palette the image used.

– Also stopped it using too many prefixes and a couple of other things._ It’s possible to be more clever making the sled

– The range of op-codes from 0x70 to 0x7f is in the ‘unsafe’ range• These are jump short instructions, so they could be safe under some

conditions.– Other tricks based on what you are doing

• Only converting parts of an image– From offsets in the image, and memory

• Analyzing it as you go may let you– Force some conditional jumps and not change the skipped

bytes.– Not modify opcode arguments

• A few other tricks.

+ Shellcode constraints_ Lossless vs. lossy image compression

– What you see is not always what you got.– Lossy compression kills shellcode.

• You have to code around it.


Punk Ode –“Lossy Compression Safe” shellcode?

+ Challenge_ Lossy compression results in loss of information, this can damage

instructions (NOPs, and shellcode)– damage can be is non-localized– Available instructions may be dependent upon instructions several bytes

away, or several lines away.– Solutions

1. Carefully hand coded shellcode– Can be done using multiple iterative checks of code which is time

consuming.– Must adjust shellcode or placement if:

• Output image ≠ Input image• Shellcode altered

_ Semi-automatic modification is possible, at least for JPEG…

2. Shellcode decoder stub– Stub decoder uses the 1st approach so that the main shellcode doesn’t

have to.


Other file formats –Speculation on the Media

+ Sound_ PCM encoded WAV files – just like PNM except with sound_ Other lossless types are somewhere between PNG and GIF_ MP3 – More like JPEG

+ Video_ MPEG,AVI

– Most are like JPEG, but harder to understand.– Lossless types also exist – RLE encoding for example

+ Differences from images_ These aren’t usually decompressed into memory all at once.

– Bad – perhaps we can’t fill as much memory at once• Maybe we can… how many frames does it buffer?

– Good – We may not need to have a valid file if its big enough• This isn’t really Punk Ode style though, just using big files.


Punk Ode – Other file formats

+ Office Documents_ Can store PNG files in them_ Remember, if you can’t see it, it’s not Punk Ode

– But it still may work.

+ PDF_ Works great._ Easy to inject the code.

+ Text files_ Wouldn’t it be nice to be able use alphanumeric shellcode which read

like something in a natural language written by a human?_ Is it possible?


Punk Ode – (Im)practical applications

+ Why use a big image file?_ When you can’t control the return address, make the return address

valid._ Doesn’t require JavaScript like variations on SkyLined’s heap spraying

technique.– His method fills the heap with a long run of 0x0d followed by the shellcode.– The 0x0d bytes mean 2 (or 3) things, depending on how they are being

used• A 5 byte NOP-like instruction if it

– OR EAX, 0d0d0d0d• A valid address (which points to a valid address)

– 0d0d0d0d: 0d0d0d0d ; self-referential pointer– Many workarounds for vulnerabilities only workaround the exploit.

• Disabling JavaScript only stops JavaScript based vulnerabilities• Doesn’t prevent weird HTML or other file format parsing exploits

– It could prevent an exploit using SkyLined’s shellcode method– Would not stop Punk Ode method.


Detection/counter-measures/counter-counter-measures

+ Look for big files!_ Compression is good

– 8192x8192 light gray image with shellcode.• 192MB uncompressed raw image• PNG: 83KB, using mod_gzip to transfer it: 1084 bytes

+ Byte Frequency graphs_ The histograms for the normal images and the NOP-sled image in the examples

were totally different.– Page aligned memory allocation lets you do tricks with relative offsets in the file so,

without knowing precisely where in the image you are going to land, you can modifyonly those areas where are at the right offset, modulus the page size.

– The rest of the image can be crafted to cancel out any disturbance from the expectedfrequencies.

_ Possible counter-counter measure– Slice up the image and analyze them slices independantly– Look for variations in the variations between slices from different regions.– A lot of work. Definitely not something to do realtime.


IDS – Detecting the shellcode

_ IDS would have to be very fast and very smart– What the targeted program is.– How the targeted program handles that image format

• E.g: gAMA chunks in PNG format images: controls how things brightenas the value increases.– What is the default gamma value for the target application?– Will it even read it from the file?– What if the file is slightly malformed?– 2 gAMA tags?– A gAMA tag after the IDAT?– Does it do the rightit correctly?

• filter:progid:DXImageTransform.Microsoft.AlphaImageLoader()?!– Where does the compositing happen?

– How many files which expand to over 100MB of what could be interpreted asshellcode can your IDS system analyze per second?

_ If the IDS can emulates the browser, can the IDS be owned at the sametime? ;]


Speculation on detection

+ It may be possible to detect abnormal compression patterns_ Compare with compression applied to determine authorship/language

of text files.

+ But you really should be looking for some vulnerability beingtriggered, not shellcode.


One final nop sled example.


Questions?

Punk Ode: Hiding Shellcode in Plain Sight VeriSign Confidential and Proprietary Information Punk Ode...

Documents

Transcript of Punk Ode: Hiding Shellcode in Plain Sight VeriSign Confidential and Proprietary Information Punk Ode...